The DeriaLock, PHP and OpenToYou Ransomware Pieces Cracked

The OpenToYou, DeriaLock, and PHP Ransomware pieces, which appeared on the malware stage during the past couple of weeks, have been cracked as a free decryption tool is available for each one. Two of them – PHP and DeriaLock – were discovered by the Check Point security firm which recently joined the No More Ransom (NMR) initiative.

Researchers say that DeriaLock was detected right before Christmas but at this point, it was only capable of locking users’ screens and preventing from controlling them. However, the ransomware`s developers needed only two days to add file-encryption capabilities to their product. Also, the ransomware started threatening its victims that it will delete all their data if they try restarting their machine. While at first, these were only empty threats, soon after, the developers actually improved their ransomware to be able to deliver on this.

So, now the newest DeriaLock version has screen-locking capabilities, it encrypts victims` data and it is able to delete it if the PS is restarted. However, Check Point experts managed to find vulnerabilities in the ransomware which allowed them to create a tool that unlocks users` files for free. They warn that all users to be extra careful while using the decryptor and strongly recommend rebooting the PC in safe mode as well as creating backups of the most important files before starting the process.

The other threat that Check Point spotted is called the PHP ransomware although it is more of a script than a ransomware. It does encrypt victims` files but it does not display any ransom notes, it does not ask for a ransom any other way and it does not try to communicate via a C&C server at all.

PHP looks for files which specific extensions and alters the access permissions for writing, reading and executing them. Then, it encrypts the first 2048 bytes of every file (or the whole file if it is smaller than 2048 bytes) and appends the “.crypted” extension. For decryption data targeted bu the PHP “ransomware,” all victims need to do is run the decryptor.

The third ransomware piece which researchers managed to crack is OpenToYou Ransomware. This time the credit goes to the Emsisoft security company. According to them, OpenToYou adds the “.-opentoyou@india.com” extension at the end of each encrypted file. Also, all victims are encouraged to contact the crooks via the same email address which is used as an extension. This ransomware created a password string and then uses SHA-1 to derive an encryption key from it. This key is used to lock the users` files with the RC4 algorithm.

During the encryption process, the malware targets files on all drives, but it skips %USERPROFILE%\AppData and various other folders on the C:\ drive: Windows, $Recycle.Bin, Users\All Users, Logs, Program Files, Program Files (x86), ProgramData, nvidia, intel, Boot, bootmgr, PerfLogs, Drivers, MSOCache, and Program install. And, A C:\bootmgr is not a folder but a file, OpenToYou encrypts the boot loader “bootmgt” on Windows PCs that boot up using the Master Boot Record (MBR).

The result is the victim not being able to boot the computer up after a restart. Once the encryption is over the ransomware drops a classic ransom note informing the victims their files has been locked and prompting them to get in touch with the ransomware devs via email.

According to Emsisoft, the OpenToYou ransomware is still a work in progress as it creates a “C:\Logs\” folder on the infected computers and uses it to temporarily store files and debug data. However, as the content of this folder is always the same, the experts can easily detect the ransomware presence on a PC.

Simona has graduated First language school - Varna, Bulgaria with a main focus on English philology. In 2016 she received her Bachelor`s Degree in International Economic Relations from the University of Economics – Varna. Simona has been taking journalism classes in Sofia University “St. Kliment Ohridski” for a year and, currently, she is presenting all cyber-security and cyber-thread related news at www.virusguides.com.